This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I cannot get Wireshark to see network interfaces when I start it under El Capitan 10.11.2

asked 18 Jan '16, 15:56

Boilermaker's gravatar image

Boilermaker
21224
accept rate: 0%

What does the command ls -l /dev/bpf* print?

(18 Jan '16, 19:03) Guy Harris ♦♦

I accidentally sent my response via email only. Here is what I found:

bash-3.2# pwd
/dev
bash-3.2# ls -l bpf* print?
ls: print?: No such file or directory
crw-------  1 root  wheel   23,   0 Jan 14 23:18 bpf0
crw-------  1 root  wheel   23,   1 Jan 14 23:18 bpf1
crw-------  1 root  wheel   23,   2 Jan 19 05:38 bpf2
crw-------  1 root  wheel   23,   3 Jan 18 17:38 bpf3
crw-------  1 root  wheel   23,   4 Jan 14 23:18 bpf4
bash-3.2#

What should the permissions be?

(20 Jan '16, 08:51) Boilermaker

I remember hearing concerns about possible security issues with this command, but after every reboot I type

sudo chmod 644 /dev/bpf*

I am then prompted for my admin password. After that, all interfaces appear in Wireshark...until the next reboot.

permanent link

answered 20 Jan '16, 09:37

MisterFalcon's gravatar image

MisterFalcon
26117
accept rate: 0%

Yes that worked!! Thanks!!! Now the interfaces can be seen!

Here is what I did based on your suggestion:

bash-3.2# ls -l bpf*
crw-------  1 root  wheel   23,   0 Jan 20 12:42 bpf0
crw-------  1 root  wheel   23,   1 Jan 20 12:42 bpf1
crw-------  1 root  wheel   23,   2 Jan 21 00:42 bpf2
crw-------  1 root  wheel   23,   3 Jan 20 12:42 bpf3
crw-------  1 root  wheel   23,   4 Jan 20 12:42 bpf4
crw-------  1 root  wheel   23,   5 Jan 20 12:42 bpf5
bash-3.2# chmod 644 bpf*
bash-3.2# ls -l bpf*
crw-r--r--  1 root  wheel   23,   0 Jan 20 12:42 bpf0
crw-r--r--  1 root  wheel   23,   1 Jan 20 12:42 bpf1
crw-r--r--  1 root  wheel   23,   2 Jan 21 00:42 bpf2
crw-r--r--  1 root  wheel   23,   3 Jan 20 12:42 bpf3
crw-r--r--  1 root  wheel   23,   4 Jan 20 12:42 bpf4
crw-r--r--  1 root  wheel   23,   5 Jan 20 12:42 bpf5
bash-3.2#

I wish Apple would reverse their SIP policy and allow user to install legitimite devices and applications such as wireshark, without dancing around permissions

(21 Jan '16, 10:17) Boilermaker

I just installed Wireshark on an El Capitan 10.11.2 virtual machine, and, after installing Wireshark, there were a lot more BPF devices, they all had permission rw-rw----, and were owned by group access_bpf, all of which is as it's supposed to be.

This persists across a reboot.

Uninstalling Wireshark (complete with uninstalling the launchd service that sets the BPF permissions at boot time), updating to 10.11.3, and installing Wireshark had the same result.

SIP was turned on during the entire process, so it's not as if it's what's getting in the way.

What does the command ls -l /Library/LaunchDaemons/ print on your machines?

(21 Jan '16, 11:12) Guy Harris ♦♦

Mine shows 'org.wireshark.ChmodBPF.plist'.

But the therein referenced '/Library/Application Support/Wireshark' directory is owned by user:group '504:wheel' who is definitely not on this system?

Seems to work though, since after reboot I can have interfaces to capture from.

(22 Jan '16, 04:35) Jaap ♦

On mine - El Capitan 10.11.2, both before and after entering the chmod 644 /dev/bpf* command I see

$ ls -l /Library/LaunchDaemons/
total 48
-rw-r--r--  1 root  wheel  462 24 Apr  2014 com.adobe.fpsaud.plist
[email protected] 1 root  wheel  818 15 Dec 07:53 com.google.keystone.daemon.plist
-rw-r--r--  1 root  wheel  572 17 Nov 10:21 com.oracle.JavaInstallHelper.plist
lrwxr-xr-x  1 root  wheel  103 12 Nov  2014 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist
-rw-r--r--  1 root  wheel  588  7 Sep 09:56 com.oracle.java.JavaUpdateHelper.plist
-rw-r--r--  1 root  wheel  670 16 Oct 04:48 org.macosforge.xquartz.privileged_startx.plist
$

How does one completely uninstall wireshark and he launchd service as mentioned on OSX?

(22 Jan '16, 06:26) MisterFalcon
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×14
×5
×3

question asked: 18 Jan '16, 15:56

question was seen: 7,762 times

last updated: 22 Jan '16, 10:03

p​o​w​e​r​e​d by O​S​Q​A